
INTRODUCTION
Quadrant was recently able to aid a client during an organization-wide compromise by the Black Basta ransomware group. This group is a "Ransomware as a Service" (RaaS) organization known to target medium and large companies. The following contains an overview of the compromise as it progressed, as well as a technical analysis of the malware and techniques observed, ranging from a successful phishing campaign to the attempted ransomware detonation. Although some exact details of the threat actor's actions are still unknown, the evidence gathered has allowed for inferences into many of the gaps. The names of all clients, all accounts, and some files have been modified for client confidentiality. Indicators of compromise, including malicious domain names, have not been modified. Any log modification has been made to redact client information, break potential links, or improve readability.
The timeline below shows a high-level overview of the incident:

INITIAL ACCESS
The threat actor began this attack by compromising a user account at a third-party vendor (TPV). Although little is known to Quadrant about the compromise at the TPV, that access allowed the use of an "info@" account. Such an account would have allowed the threat actor to pose as the compromised user without creating extra "junk" in the user's inbox that could raise suspicion. Following the initial phishing emails, the threat actor continued to send additional phishing emails to the client from similar account names at different domains. Both samples reached their victims shortly after noon on the 20th of September.
The phishing emails contained what was later determined to be "Qakbot," a sophisticated trojan. Following the infection, these hosts began to beacon out to over 100 IPs on various ports. The client's Cisco "Advanced Malware Protection" (AMP) detected a connection to one of these IPs over TCP port 2222. Although this triggered an alert in AMP, Quadrant's ingestion of these logs was not configured, so no alert was generated through the Sagan solution.
The Suricata engine did detect these connection attempts; however, no alert was raised by the Packet Inspection Engine. Quadrant monitors companies' ingress and egress traffic using onsite Packet Inspection Engine (PIE) appliances running the Suricata detection engine. Although many other rulesets are used to screen for malicious activity, Quadrant has custom rules in place to detect SSH over nonstandard ports such as TCP 2222. These rules did not fire due to the absence of an SSH header in the traffic. One might assume that traffic over 2222 would be SSH, but further analysis of the traffic generated by the Qakbot sample in the lab shows that this connection was likely HTTPS.
Eventually, the malware was able to find an active C2 server. It took about 35 minutes between initial infection and the first successful communication between a compromised host and the C2 domain. The second stage payload, which was later determined to likely be the penetration testing framework "Brute Ratel," was then downloaded via a connection to an IP from Russia.
PERSISTENCE AND ESCALATION OF PRIVILEGE
Following the compromise of two hosts and the gaining of a foothold, lateral movement began. The client's full infrastructure comprises three domains: Construction, Commerce, and a Subsidiary. Both initially compromised hosts were in the Construction environment. These domains had shared trust and were connected via VPN tunnels, which allowed the threat actor to move freely between domains.
We believe that multiple methods and tools were leveraged to do this. At this point, visibility becomes muddled, because observation and detection focus on ingress and egress traffic. However, following the investigation into the recorded logs and the follow-on detailed analysis of malware samples, we can make educated guesses about some of the missing pieces.
Initial lateral movement and the lay of the land was likely conducted using Brute Ratel. This was determined through a review of files found on one of the initially compromised hosts. One file, "zfgufgfvezdnbcvjkzctpvfdj.dll," matches the hash of previously submitted Brute Ratel samples.
Due to the lack of visibility, we were unable to find the initial connection from the two "Patient Zeros" to the local Domain Controller. However, after reaching the local DC, the attacker was able to gain a better lay of the land and observe the presence of the other two domains.
Initial Command and Control was conducted from "23[.]19[.]58[.]43" [zedorocop[.]com] and "23[.]106[.]160[.]141" [danimos[.]com]. The IPs used for C2 and the level of interaction changed over time as the compromise grew. For example, mid-stage infections showed calls to "146[.]70[.]86[.]44" [gerhiles[.]com]. It is important to note that the FQDNs used for C2 were all registered the same month as the compromise.
Multiple administrative and system accounts were compromised during this incident. One possible explanation for this is "Kerberoasting". This technique was observed in the Commerce environment through a sharp increase in Kerberos requests using RC4 encryption. We do not believe that this was successful in this environment, due in part to the lack of additional signs of compromise specific to this domain. However, this technique was likely performed on the other two client domains, where visibility gaps existed. This is further supported by the fact that the source and destination of these requests were in different domains: the source of the "Kerberoasting" was in the Subsidiary environment, and the Domain Controller that was attacked was in the Commerce environment.
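The indicator described above (a burst of RC4 service-ticket requests, sourced from one domain against a DC in another) can be expressed as a simple detection over Event ID 4769 data. This is an added example, not Quadrant's Sagan rule; the field names and every event in it are constructed.

```python
"""Flag a burst of RC4-encrypted Kerberos service-ticket requests (Windows Event ID 4769).

Added example, not Quadrant's detection content. It counts the distinct services one
account requests with encryption type 0x17 (RC4-HMAC) inside a sliding window and
records whether the requests crossed domains, as the report notes they did.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17          # TicketEncryptionType value for RC4-HMAC in 4769 events


def detect_kerberoasting(events, window_minutes=5, threshold=10):
    """events: dicts with time (ISO 8601), account, src_ip, src_domain, dc_domain,
    service, etype (int). Returns one finding per (account, src_ip) that requested
    >= threshold distinct services with RC4 inside any window_minutes-long span."""
    window = timedelta(minutes=window_minutes)
    by_actor = defaultdict(list)
    for ev in events:
        if ev["etype"] != RC4_HMAC:
            continue                      # AES requests are normal, skip them
        by_actor[(ev["account"], ev["src_ip"])].append(
            (datetime.fromisoformat(ev["time"]), ev["service"],
             ev["src_domain"] != ev["dc_domain"]))
    findings = []
    for (account, src_ip), reqs in by_actor.items():
        reqs.sort()
        for i, (start, _, _) in enumerate(reqs):
            in_window = [r for r in reqs[i:] if r[0] - start <= window]
            services = {r[1] for r in in_window}
            if len(services) >= threshold:
                findings.append({
                    "account": account, "src_ip": src_ip,
                    "window_start": start.isoformat(),
                    "distinct_services": len(services),
                    "cross_domain": any(r[2] for r in in_window),
                })
                break                     # one finding per actor is enough
    return findings


def sample_events():
    """Constructed 4769-style events: one roasting burst plus ordinary background."""
    base = datetime(2022, 9, 21, 14, 0, 0)
    events = []
    for i in range(12):                   # burst: 12 SPNs in under two minutes, cross-domain
        events.append({"time": (base + timedelta(seconds=10 * i)).isoformat(),
                       "account": "svc_lookup", "src_ip": "10.30.0.25",
                       "src_domain": "subsidiary", "dc_domain": "commerce",
                       "service": f"MSSQLSvc/db{i:02d}.commerce.example", "etype": RC4_HMAC})
    for i in range(20):                   # background: AES requests from a workstation
        events.append({"time": (base + timedelta(seconds=7 * i)).isoformat(),
                       "account": "jdoe", "src_ip": "10.10.0.7",
                       "src_domain": "commerce", "dc_domain": "commerce",
                       "service": f"cifs/fs{i % 3}.commerce.example", "etype": 0x12})
    for i in range(3):                    # background: a legacy app that still uses RC4
        events.append({"time": (base + timedelta(minutes=20 * i)).isoformat(),
                       "account": "legacyapp", "src_ip": "10.10.0.9",
                       "src_domain": "commerce", "dc_domain": "commerce",
                       "service": "HTTP/old.commerce.example", "etype": RC4_HMAC})
    return events


if __name__ == "__main__":
    for finding in detect_kerberoasting(sample_events()):
        print(finding)
```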
Once administrative access had been achieved, the threat actor also added new administrative accounts to the environment.
PROPAGATION
Unknown to everyone but the attacker, multiple files were being transmitted throughout the environment:
Two file names were observed during the incident "Client_s.exe" and "Client.exe." It is expected that the different naming schemes are related to the different variations of the Black Basta ransomware. Although no sample was able to be provided for the Client.exe (which is believed to be the ESXi variant), Quadrant was able to obtain a copy of "Client_s.exe" for Windows hosts.
Two ".bat" files were sent throughout the organization. Both were designed to turn off antivirus and anti-malware software. One does not use any obfuscation and just contains the simple command to stop Cisco AMP Orbital. This could indicate that it was written hastily in order to get it onto the target environments quickly. The other, targeting Windows Defender, required multiple steps in order to view the commands.
Tox5, which appeared to be a component of Cobalt Strike, as well as a Cobalt Strike beacon named "Ticket-5731.xls".
These files continued to replicate throughout the organization through the use of Server Message Block (SMB), eventually spreading to almost every endpoint and server in two of the three domains. The attack on the Commerce domain does not appear to have been effective, apart from one host in a training environment. Most hosts in the Commerce environment had more restrictions placed on their operating system by default, which likely contributed to the threat actor's lack of success there.
EXFILTRATION
Once a file server was identified, an FTP connection was established to an external site. This was not used for C2 activities but only for receiving the exfiltrated data. Suricata logs show that “RClone” was downloaded on the file servers in order to facilitate exfiltration of the logs. RClone is designed to transfer large volumes of data from one host to the cloud with ease. This legitimate program was abused by the attacker to steal client data.
DETECTION AND RESPONSE
The most critical asset of the Security Operations Center is the human SOC analyst. A human can look at the totality of a situation and make a judgement call that no AI or automated process can. From the analyst's perspective, the only alert that was generated and brought to the SOC was a Suricata FTP rule looking for CVE-1999-0911, an overflow related to the MKD command. This FTP command is defined as "...causes the directory specified in the pathname to be created on the server. If the specified directory is a relative directory, it is created in the client's current working directory."
Although many old signatures are decommissioned or otherwise suppressed, Quadrant leaves some rules in place as "hunting" rules. These are more focused on the overall techniques or "odd" traffic that could be an indicator of compromise. In this case, the analyst investigating the alert observed that this was technically a False Positive, as the command was not used in an abnormal fashion. However, looking at the destination, which had not been previously observed in the environment, the file names (which were quite varied), and the volume of the files outbound, the analyst decided to call the client to err on the side of caution. Had the analyst not conducted their due diligence or had this archaic signature been suppressed, it is highly likely that this compromise would not have been detected until after the encryption process had begun. The current list of rules developed following this incident can be found in I
The alert was submitted at 18:27 EDT on 9/21/2022, just over 30 hours after the initial infection.
The client determined it to be out of the ordinary but was unaware of the extent of the compromise. However, during the course of the evening, it became apparent that something was greatly amiss. The following morning, the client’s CISO contacted the Quadrant team to report that there was indeed an active compromise within their environment.
The client provided malware samples from the phishing emails and the analysis began. Threat hunting was conducted within the logs. A dedicated "out-of-band" communications channel was established between Quadrant and the client. As more evidence was uncovered, the full threat began to be realized.
One aspect of the actions taken by the Incident Response team was a live log review. The request to "look for anything suspicious" is often a nightmare, because how does one truly define suspicious without a baseline? However, with the knowledge of the situation and years of experience on his side, a member of the I.R. team decided to look at the raw logs in real time to see if anything stood out. Windows Event logs and "clipboard" logs are collected using NXLog Enterprise. While clipboard logs are not stored on the local host, they are sent to the Sagan Log Analysis Engine for further analysis and retention. While examining this data, the I.R. team member became aware of the use of RDP by the threat actor by observing RDPClip.exe logging that looked, by definition, incredibly suspicious.
Among the many “clipboard” logs observed, "Client.exe -bomb," stood out. Although the full extent of the command was not realized at the time, due to the implied malice it was decided that now was the time to attempt to purge the threat actor.
The client's response team locked out the accounts that were known to be compromised. However, the threat actor had complete control over the environment. Following this initial attempt to lock out the threat actor, the threat actor retaliated, resulting in a catastrophic lockout of the client's staff and administrators.
This was not completely unexpected. Knowing that there was an ongoing data exfiltration attempt along with a full network compromise with a relatively short “dwell” time, plans had been put into place to restrict all access to the network in order to mitigate and prevent the threat actor from doing more damage. The client's staff was simply waiting on the “order” to halt the network.
After a quick conference between Quadrant and the client, all parties agreed and the decision was made: at approximately 8:45pm on September 22, only 56 hours after the initial phishing email had been opened, the physical cables between the domains, as well as their connection to the Internet, were pulled.
Because of the observation, hunting, and superior teamwork between the Quadrant team and the client, only a handful of ESXi servers were encrypted. Had the team not taken action to sever the Internet and domain connections, the encryption command would likely have replicated throughout the Construction and Subsidiary environments. With the assistance of a third-party incident response firm and constant ongoing contact with the Quadrant team, the client was able to slowly, systematically, and safely bring their servers online while purging any remains of the threat actor over the course of the next two weeks.
Ultimately, this was considered a success in defense of the client, but there were many lessons learned. Through the later review of the logging and after-action analysis of the event, more detection rules have been created to better alert on the visibility that does exist in this, and many other, client environments.
TECHNICAL ANALYSIS
INITIAL ACCESS: QAKBOT INFECTION
The two phishing samples provided by the client show two different techniques:
Email response as part of an Email Chain: "Re: RE: Logistics":
The phishing email came from a legitimate vendor, "stoneworkers". The phishing attachment was sent to the target as a response to an ongoing conversation between a member of Quadrant's client and the TPV. The attacker sent the email from "info[@]stoneworkers[.]org" while posing as "jpeterman[@]stoneworkers[.]org". The email had applicable context, and the email chain contains back-and-forth with another member of the TPV as well.
Cold Email: "Solution for Issue 37":
The phishing email came with no pretext from a site not used by the client. However, it is important to note that the site seems to be owned by a legitimate venture capital group, which may indicate a compromise of that organization or that the email account was spoofed. The attacker sent the email from "support[@]capitalizedadventures[.]com" while posing as "Jay Peterman".
The attachments from the two phishing emails contain similar malware; only the filenames and corresponding commands differ between the two.
When downloaded, the initial attachment is a local HTML file. The web page claims to be an Adobe site and that the attached document is a password-protected PDF:
Using the password "abc888" to unzip the attachment, the user is presented with an ISO file. The two samples produced different ISO names: Claim_Copy_1796.iso and Claim_Copy_5898.iso.
The subdirectories of the "fathomed" directory (elude, omicron, and shabbily) are all empty, as confirmed by navigating to them and running "ls -a", which returned no files. This was verified with "du -h", which reported a size of 4.0K, consistent with an empty directory.
When opened in a Windows environment the following is displayed:

The ISO mounts as a DVD drive. "Claim_Copy" shows the icon for Windows File Explorer. Clicking on it calls the corresponding JavaScript file contained within each ISO.

In both cases the JavaScript files set several variables before running the ".cmd" file contained within the ISO. This is likely done as a method to avoid detection from Log Analysis Engines, such as the Sagan Engine, as well as other monitoring services such as Microsoft's Defender or Sentinel.

The command is called with echo off so that no text is displayed to the user. Ultimately, this CMD file calls the "db" file. In both samples, the "db" file is not a database but the actual Qakbot trojan.

Something interesting to note: "campus.txt" contains an excerpt from "Through the Looking-Glass" by Lewis Carroll. This inclusion may add easily changeable padding to the ISO. Doing so would allow the easy addition or subtraction of data to change the ISO's hash value without changing any important content of the executables.
Following detonation of Qakbot, the malware copied itself to "$CURRENTUSER\AppData\Roaming\Microsoft\Isoaahffo\djkuuhd.dll," as confirmed by the file's hashes shown below, and set itself to auto-run. Following this, the malware begins to beacon out to hard-coded C2 servers. A breakdown of the observed IPs and their ports can be found in INDEX A below, which contains over 100 IPs of potential C2 servers.

During the initial detonation of 5898, the process embedded itself into wermgr.exe, the Windows Error Reporting Manager (Process ID 6660).

The registry keys added by the sample were decrypted by leveraging the decryption script found at "https://github.com/drole/qakbot-registry-decrypt". These show the full path to the dropped file "xjkuuhd.dll" as well as the Qakbot campaign identifier: "obama206."

As with other Qakbot investigations, multiple potential IPs were observed during the testing. During the incident, the first warning sign of compromise came from the victim's Cisco Advanced Malware Protection alerting. Cisco AMP detected an attempt to contact "76[.]169[.]76[.]44" [Van Nuys, CA] over TCP port 2222. It is interesting to note that other IPs were also contacted over TCP port 2222; however, this C2 node was the only IP to return any data over TCP port 2222, which may be why this alert triggered. According to Suricata logs, this was also the first IP reached out to via 2222. A later review of the logs revealed the first attempt to contact the C2 IPs ("61[.]70[.]29[.]53" [Taiwan]).

Due to TCP port 2222’s common use as an alternate port for SSH communication, the Malware Analyst recorded a manual SSH connection to the emulated C2 host in order to show the difference between an SSH connection and the connection made by the Malware sample. Evidence suggests that the sample does not communicate over SSH and the communication is consistent with HTTP/S traffic.

The malware analyst attempted to connect via SSH to the emulated C2 host. Note the first packet from the experimental machine to the emulated C2 device following the 3-way TCP handshake shows header information containing the OpenSSH client information. This was produced manually as an example of an SSH connection while SSH was running on the emulated C2 host on port 2222. An overview of the lab setup and tools can be found in INDEX B.

With SSH still running on the emulated C2 device, the malware was detonated on the VM. The same packet following the 3-way handshake no longer contains SSH information but is detected as a Client Hello.

The emulated C2 Server is now running an HTTPS server on TCP port 2222. This PCAP above shows the conversation from the 3-way handshake to the resetting of the connection.
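The contrast shown in the two captures above (an SSH identification banner versus a TLS ClientHello as the first packet after the handshake) is exactly the check a port-based rule needs. The following is an added example, not Quadrant's rule or code, that classifies a session's first client payload and flags a mismatch with what the destination port is expected to carry; the payloads and the port expectations are constructed.

```python
"""Classify the first client payload of a TCP session and flag port/protocol mismatches.

Added example, not from the original report. A rule keyed on the SSH banner stays
silent when a session on TCP/2222 actually starts with a TLS ClientHello; checking
the observed protocol against the port's expectation catches that case.
"""


def classify_payload(data: bytes) -> str:
    """Return 'ssh', 'tls-client-hello', 'tls-other' or 'unknown' for a first packet."""
    # SSH begins with an identification string (RFC 4253): "SSH-2.0-<software>\r\n"
    if data.startswith(b"SSH-"):
        return "ssh"
    # TLS record header: content type 0x16 (handshake), version 0x0300-0x0304, 2-byte length
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04:
        record_len = int.from_bytes(data[3:5], "big")
        if record_len >= 4 and data[5] == 0x01:   # HandshakeType client_hello
            return "tls-client-hello"
        return "tls-other"
    return "unknown"


# What each monitored port is expected to carry (assumption for the example)
EXPECTED = {22: "ssh", 2222: "ssh", 443: "tls-client-hello"}


def port_protocol_mismatch(dst_port: int, data: bytes, expected=EXPECTED):
    """Return a finding string when the protocol seen differs from the port's expectation."""
    seen = classify_payload(data)
    want = expected.get(dst_port)
    if want is None or seen == want:
        return None
    return f"port {dst_port}: expected {want}, observed {seen}"


def build_client_hello() -> bytes:
    """Minimal TLS 1.2 ClientHello (constructed: zero random, one suite, no extensions)."""
    body = (b"\x03\x03" + bytes(32)     # client_version, client_random
            + b"\x00"                    # session_id length 0
            + b"\x00\x02" + b"\x13\x01"  # one cipher suite
            + b"\x01\x00"                # compression_methods: null only
            + b"\x00\x00")               # extensions length 0
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


SSH_BANNER = b"SSH-2.0-OpenSSH_8.9\r\n"  # constructed, typical client banner


def review_sessions(sessions):
    """sessions: list of (src, dst, dst_port, first_client_payload). Returns findings."""
    findings = []
    for src, dst, dport, payload in sessions:
        msg = port_protocol_mismatch(dport, payload)
        if msg:
            findings.append(f"{src} -> {dst} {msg}")
    return findings


if __name__ == "__main__":
    # Constructed sessions: genuine SSH on 2222, TLS on 2222 (the case above), TLS on 443
    demo = [("10.0.0.5", "192.0.2.10", 2222, SSH_BANNER),
            ("10.0.0.6", "192.0.2.11", 2222, build_client_hello()),
            ("10.0.0.6", "192.0.2.12", 443, build_client_hello())]
    for line in review_sessions(demo):
        print(line)
```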
Following observation of the malware samples, we now know that most of the connection attempts to the C2 IPs are conducted over TCP port 443. Because of the common use of this port, and the use of TLS in these connections, both the attempts and the successful connections went undetected by Suricata and Cisco AMP.
Many of the connections over 443 resulted in minimal exchanges consistent with nothing more than TCP negotiations. However, IPs "119[.]42[.]124[.]18" [Thailand] and "193[.]3[.]19[.]37" [Russia] showed multiple packets and data transferred, including the exchange of TLS certificates. The size and length of the connection indicate that the second stage was downloaded from "193[.]3[.]19[.]37" [Russia].

The largest connection between P0 (patient zero) and the C2 domain. Because of the amount of data outbound, this may also indicate some data exfiltration or interaction with the second stage downloaded from the C2.
POST-EXPLOITATION TECHNIQUES, TACTICS, AND PROCEDURES
COMMAND AND CONTROL
Initial Command and Control was conducted from "23[.]19[.]58[.]43" [zedorocop[.]com] and "23[.]106[.]160[.]141" [danimos[.]com]. The IPs used for C2 and the level of interaction changed over time as the compromise grew. For example, mid-stage infections showed calls to "146[.]70[.]86[.]44" [gerhiles[.]com]. It is important to note that the FQDNs used for C2 were all registered the same month as the compromise.

POTENTIAL COBALT STRIKE INSTALLATION - TOX5.EXE
Initial static review of the tox5 sample did not reveal much information; indicators show that it may have the ability to clear event logs.

A dynamic analysis of "Tox5" shows that the malware drops itself into a randomly named folder under the "ProgramData" directory and adds itself to a scheduled task.

During the lab testing of the tox5 sample, we observed the sample gain persistence by duplicating itself. This is shown below by comparing the file hashes for "tox5.exe" and "C:\ProgramData\lplshr\basinqt.exe."

Although no obvious signs of compromise were apparent to the user of the infected host, a review of the network traffic from the host showed the newly installed program reached out to "gerhiles[.]com", which had been observed during the incident as a Command and Control site.

Following the resolution of gerhiles[.]com, and the activation of "INetSim" to simulate a website, the PCAP above shows connections were attempted over port 4001.

Running "netstat -a -n -o" revealed the PID of the process connecting on port 4001. Task Manager was then used to reveal the process running as PID 3488, which was a renamed instance of Tox5.
Because of the beaconing activity, persistence, and apparent ability to wipe event logs, it is likely that tox5 is a component of Cobalt Strike or a similar framework.
LATERAL MOVEMENT: SMB AND RDP
Brute Ratel allows for lateral movement leveraging RPC to create SMB traffic. Although no direct RPC actions were observed, possibly due to a lack of logging or the method of RPC use, multiple logs throughout the incident show the transfer of files using SMB. Logging shows actions taken by the attacker that were recorded by RDPClip in the form of clipboard logging, indicating the use of Remote Desktop Protocol. After the connection to the Internet and shared domains was severed, automated processes continued to propagate malware.
Files commonly observed transferred via SMB include:
- Black Basta Ransomware "Client_s.exe" and "Client.exe"
- Cobalt Strike beacon with the name of "Ticket-5731.xls"
- ".bat" files designed to disable Cisco AMP / Microsoft Defender:
  - W.bat
  - Cc.bat

Clipboard logging showing the transfer of Cobalt Strike beacons using RDPClip:
The first part of the command is below, with the payload redacted for size and readability. This occurred immediately following the clipboard transfer of the command "net stop Cisco AMP".

The second encoded string was not only Base64 but also gzipped, for size and obfuscation. This shows the decoded and uncompressed data.

Leveraging the Cobalt Strike payload decoder from GitHub user "0xtornado" shows that the payloads were sent using the user agent below.

Additional files and commands observed via clipboard logging:
The following 31 commands were run between Sep 22, 2022 @ 20:01:39.000 and Sep 22, 2022 @ 20:02:46.000. The syntax indicates these are the commands used to reset the administrative passwords following the attempted lockout of the threat actor.

According to Google Translate, the Russian phrases translate to "bury along the way" and "launch with balloons". These may be direct translations; however, adding any additional character after the Russian phrases changes the translation to "Lock on Path" and "launch with balls", respectively. Also note the use of "-forcepath" and "-bomb".

A search of Active Directory for users whose passwords never expire, together with the last set date, written to a file for later exfiltration:

Stopping Cisco AMP / disabling Microsoft Defender; these are the same commands as observed in the ".bat" files:

Transfer and use of Ticket-5731.xls (determined to be Cobalt Strike):

URL to download "cob_12.dll" and "tox5.exe". Although cob_12.dll was not collected as a sample, tox5.exe was reviewed:

Clipboard logging showing the “uninstall” commands for Windows Defender:

Adding an Admin to ESXi environment:

Domain Controller detection:

Connection attempt to a "SH/WEB" domain:

Command showing the use of "Bitsadmin" to transfer the Black Basta Ransomware:

Connection from Client by threat actor:

DISABLING ANTIVIRUS/MALWARE SOFTWARE USING ".BAT" FILES
The two ".bat" files sent throughout the organization were both designed to turn off antivirus and antimalware software. It is interesting to note that "cc.bat" does not use any obfuscation and just contains the simple command to stop AMP Orbital. This could indicate that it was written hastily in order to get it onto the target environment quickly.
"cc.bat" is a simple script designed to stop Cisco AMP.

"W.bat", on the other hand, has some simple but clever obfuscation in place. When opened in "vim" or another text editor, the .bat file appears to contain Chinese characters. However, running "cat" or "strings" reveals the actual data. This combines disguising the ASCII as UTF-16, by manipulating the start of the file, with obfuscating the data using a simple cipher. The string of characters following "set" acts as the key. When the script is executed, the system replaces each number in the body with the character at that position in the key string. The link from Superuser[.]com in INDEX D goes into more specifics on how this is done.
"w.bat" as viewed through a text editor. For this example, the text editor "vim” was used to open the file:

"w.bat" as viewed through the bash command "cat":

After copying and pasting the body of "w.bat" into its own text document, "w.txt", the team was able to run a lengthy "sed" command against the file to reveal the following:

The sed statement used to decode the body of "w.bat":

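A decoder for the two tricks described above (the UTF-16 disguise at the start of the file and the substring-lookup cipher keyed by the "set" line). This is an added example, not the sed command Quadrant used, and the sample file is constructed: the exact layout of w.bat is not reproduced here, and the cmd.exe "%key:~offset,1%" syntax is assumed from the report's description.

```python
"""Decode a batch file that hides ASCII behind a UTF-16 BOM and rebuilds its
commands from %key:~offset,length% substring lookups.

Added example, not the original sed command. Assumes (per the report's description)
a UTF-16LE BOM in front of plain ASCII, a key defined with "set", and a body made
of cmd.exe substring references.
"""
import re

SUBSTR = re.compile(r"%(\w+):~(-?\d+)(?:,(-?\d+))?%")   # %NAME:~start[,length]%
SET_LINE = re.compile(r'\s*set\s+"?(\w+)=(.*?)"?\s*$', re.IGNORECASE)


def strip_fake_bom(raw: bytes) -> str:
    """A UTF-16LE BOM (FF FE) in front of ASCII makes editors render byte pairs as
    CJK glyphs while cmd.exe still runs the ASCII lines. If the bytes after the BOM
    contain no NULs they are not really UTF-16, so decode them as ASCII instead."""
    if raw.startswith(b"\xff\xfe"):
        if b"\x00" not in raw[2:]:
            return raw[2:].decode("ascii", errors="replace")
        return raw.decode("utf-16")
    return raw.decode("ascii", errors="replace")


def batch_substr(value: str, start: int, length) -> str:
    """cmd.exe %var:~start,length% semantics, including negative start and length."""
    if start < 0:
        start = max(len(value) + start, 0)
    if length is None:
        return value[start:]
    if length < 0:
        return value[start:len(value) + length]
    return value[start:start + length]


def deobfuscate(raw: bytes) -> str:
    """Collect keys from 'set' lines, then expand every substring reference."""
    text = strip_fake_bom(raw)
    keys = {}
    body = []
    for line in text.splitlines():
        m = SET_LINE.match(line)
        if m:
            keys[m.group(1).lower()] = m.group(2)   # the key is the data after '='
        elif line.strip():
            body.append(line)

    def expand(m):
        value = keys.get(m.group(1).lower())
        if value is None:
            return m.group(0)                        # unknown variable: leave as is
        length = int(m.group(3)) if m.group(3) is not None else None
        return batch_substr(value, int(m.group(2)), length)

    return "\n".join(SUBSTR.sub(expand, line) for line in body)


# Constructed sample: BOM, key line, then two obfuscated lines that decode to echo commands
SAMPLE = (b"\xff\xfe\r\n"
          b"set k=abcdefghijklmnopqrstuvwxyz @\r\n"
          b"%k:~27,1%%k:~4,1%%k:~2,1%%k:~7,1%%k:~14,1%%k:~26,1%%k:~14,1%%k:~5,1%%k:~5,1%\r\n"
          b"%k:~4,1%%k:~2,1%%k:~7,1%%k:~14,1%%k:~26,1%%k:~3,1%%k:~4,1%%k:~12,1%%k:~14,1%\r\n")

if __name__ == "__main__":
    print(deobfuscate(SAMPLE))
```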
EXFILTRATION THROUGH RCLONE
Once the file server was identified, an FTP connection was established to an external site. This was not used for C2 activities but only for receiving the exfiltrated data. Over the past several years, multiple cybersecurity firms and the FBI have reported increased observation of the use of "RClone" to exfiltrate data. Suricata logs show that RClone was downloaded on the file servers in order to facilitate exfiltration of the logs.

Suricata flow log from the "Subsidiary PIE" to the IP resolved for "Rclone". This likely shows the connection containing the download of RClone.

First connection on Subsidiary PIE to the external file dump:

First connection on Construction PIE to the external file dump. (Other logs are available showing the DNS request and download of RClone for the Construction domain as well):

ENCRYPTION VIA BLACK BASTA RANSOMWARE
Two file names were observed during the incident "Client_s.exe" and "Client.exe." It is expected that the different naming schemes are related to the different variations of the ransomware. Although no sample was able to be provided for Client.exe (which is believed to be the ESXi variant), Quadrant was able to obtain a copy of "Client_s.exe" for Windows hosts.
From a static malware analysis review, very little was initially obtainable from the sample aside from the ".basta" suffix and a relation to "Fax."

Static analysis conducted inside of x32dbg, showing a relation to "FAX" and the potential use of the directory "ProgramData":

Upon detonation, the malware sets itself up as the service "Fax" and enables it to start during safe boot. The ransomware then restarts the host into safe mode using bcdedit.exe. BCDEdit is a command line program in Windows used to modify the "Boot Configuration Data." While in safe mode, the encryption of files occurs. Once the encryption is complete, the system is restarted into the standard operating mode.

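The sequence just described (a service registered to start in safe mode, a bcdedit change to boot into safe mode with networking, then a reboot) is a useful correlation for endpoint telemetry. This is an added example, not Quadrant's detection content and not the CAPEv2 output shown below: the event shapes are constructed, loosely modelled on Sysmon registry-set and process-creation records, and the paths and command lines in the sample are constructed as well.

```python
"""Correlate safe-mode preparation steps: a SafeBoot service registration plus a
bcdedit safeboot change on the same host inside a short window, with a reboot
raising the severity.

Added example, not from the original report. Event shapes, paths and command lines
are constructed for illustration.
"""
import re
from datetime import datetime, timedelta

SAFEBOOT_KEY = re.compile(r"\\Control\\SafeBoot\\(Network|Minimal)\\", re.IGNORECASE)
BCDEDIT_SAFEBOOT = re.compile(r"\bbcdedit(\.exe)?\b.*\bsafeboot\b.*\b(network|minimal)\b",
                              re.IGNORECASE)
REBOOT = re.compile(r"\bshutdown(\.exe)?\b.*(?:/|-)r\b", re.IGNORECASE)


def tag_event(ev):
    """Map one event to an indicator name, or None if it is not of interest."""
    if ev["kind"] == "registry" and SAFEBOOT_KEY.search(ev["target"]):
        return "safeboot_service"
    if ev["kind"] == "process":
        if BCDEDIT_SAFEBOOT.search(ev["cmdline"]):
            return "bcdedit_safeboot"
        if REBOOT.search(ev["cmdline"]):
            return "reboot"
    return None


def correlate_safe_mode_prep(events, window_seconds=600):
    """events: dicts with host, time (ISO 8601), kind, image, and target or cmdline.
    A host is reported when a SafeBoot service registration and a bcdedit safeboot
    change both land inside the window; a reboot in the same span raises severity."""
    window = timedelta(seconds=window_seconds)
    per_host = {}
    for ev in events:
        tag = tag_event(ev)
        if tag:
            detail = ev.get("target") or ev.get("cmdline")
            per_host.setdefault(ev["host"], []).append(
                (datetime.fromisoformat(ev["time"]), tag, ev["image"], detail))
    alerts = {}
    for host, hits in per_host.items():
        hits.sort()
        tags = {h[1] for h in hits}
        if {"safeboot_service", "bcdedit_safeboot"} <= tags and hits[-1][0] - hits[0][0] <= window:
            alerts[host] = {"severity": "high" if "reboot" in tags else "medium",
                            "images": sorted({h[2] for h in hits}),
                            "indicators": [(t.isoformat(), tag, d) for t, tag, _, d in hits]}
    return alerts


def sample_events():
    """Constructed events: one host showing the full sequence, two benign look-alikes."""
    t0 = datetime(2022, 9, 22, 20, 30, 0)
    ransom = r"C:\ProgramData\Client_s.exe"               # constructed path
    return [
        {"host": "WS01", "time": t0.isoformat(), "kind": "registry", "image": ransom,
         "target": r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Fax\(Default)"},
        {"host": "WS01", "time": (t0 + timedelta(seconds=5)).isoformat(), "kind": "process",
         "image": r"C:\Windows\System32\bcdedit.exe",
         "cmdline": "bcdedit /set {current} safeboot network"},
        {"host": "WS01", "time": (t0 + timedelta(seconds=9)).isoformat(), "kind": "process",
         "image": r"C:\Windows\System32\shutdown.exe", "cmdline": "shutdown /r /t 0"},
        # Admin troubleshooting: a safe-mode boot without any service registration
        {"host": "WS02", "time": t0.isoformat(), "kind": "process",
         "image": r"C:\Windows\System32\bcdedit.exe",
         "cmdline": "bcdedit /set {current} safeboot minimal"},
        # A security product installer registering for safe mode, with no bcdedit change
        {"host": "SRV03", "time": t0.isoformat(), "kind": "registry",
         "image": r"C:\Windows\Temp\av_setup.exe",
         "target": r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVDriver\(Default)"},
    ]


if __name__ == "__main__":
    for host, alert in correlate_safe_mode_prep(sample_events()).items():
        print(host, alert["severity"], alert["indicators"])
```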
Using the automated malware analyzer CAPEv2 allowed for the detection and capture of this JSON, which indicates the creation of a Mutex:

Using the automated malware analyzer CAPEv2 allowed for the detection and capture of this JSON, which shows the addition of "Fax" to the registry, allowing it to start in safe mode:

Using the automated malware analyzer CAPEv2 allowed for the detection and capture of this JSON, which shows the use of BCDEdit to restart the host into safe mode with networking:

Following infection, the host restarts into safe mode where the encryption action takes place:

Following the encryption, the computer restarts into standard mode. The background has been replaced to show "Your Network is Encrypted by the Black Basta group. Instruction in the file readme.txt". The only files still accessible to the user are the "readme" files.

During the end state of the active compromise, two flags were observed in clipboard logging: "-bomb" and "-forcepath". The write-ups by "Northwave-Security" and "Deepinstinct" shed more light on these flags. They show that "bomb" designates a full detonation on all reachable hosts, and "forcepath" targets a specific instance or directory. According to these recent write-ups, this indicates that this is one of the newest renditions of the malware.
We are attempting to better understand the use of the "-bomb" flag and how it communicates with the other infected machines. The restart into safe mode with networking likely indicates that this communication occurs at that time.
INDEX A: INDICATORS OF COMPROMISE
FILE NAMES AND HASH VALUES
HARD-CODED IP ADDRESSES OBSERVED IN QAKBOT SAMPLES
IP | Port Observed | Country | AbuseIPDB Score
1.10.253.207 | 443 | Thailand | 0
2.89.78.130 | 993 | Saudi Arabia | 0
14.183.63.12 | 443 | Viet Nam | 0
27.73.215.46 | 32102 | Viet Nam | 0
31.166.116.171 | 443 | Saudi Arabia | 30
31.32.180.179 | 443 | France | 0
31.54.39.153 | 2078 | United Kingdom | 0
37.37.206.87 | 995 | Kuwait | 0
37.76.197.124 | 443 | Palestine | 0
41.103.226.172 | 443 | Algeria | 0
41.105.197.244 | 443 | Algeria | 0
41.107.78.223 | 995 | Algeria | 0
41.142.132.190 | 443 | Morocco | 0
41.69.103.179 | 995 | Egypt | 0
41.96.171.218 | 443 | Algeria | 0
45.160.124.211 | 995 | Brazil | 0
45.183.234.180 | 443 | Brazil | 0
45.241.140.181 | 995 | Egypt | 0
45.51.148.111 | 993 | United States of America | 0
46.116.229.16 | 443 | Israel | 0
46.186.216.41 | 32100 | Kuwait | 0
47.146.182.110 | 443 | United States of America | 0
61.105.45.244 | 443 | Korea (Republic of) | 0
61.70.29.53 | 443 | Taiwan | 0
62.114.193.186 | 995 | Egypt | 0
64.207.215.69 | 443 | Afghanistan | 0
66.181.164.43 | 443 | Mongolia | 0
68.129.232.158 | 443 | United States of America | 0
68.151.196.147 | 995 | Canada | 0
68.224.229.42 | 443 | United States of America | 0
68.50.190.55 | 443 | United States of America | 0
68.53.110.74 | 995 | United States of America | 0
70.49.33.200 | 2222 | Canada | 0
70.51.132.197 | 2222 | Canada | 0
70.81.121.237 | 2222 | Canada | 0
71.10.27.196 | 2222 | United States of America | 0
72.66.96.129 | 995 | United States of America | 0
72.88.245.71 | 443 | United States of America | 0
76.169.76.44 | 2222 | United States of America | 0
78.182.113.80 | 443 | Turkey | 0
81.214.220.237 | 443 | Turkey | 0
81.56.22.251 | 995 | Italy | 0
83.110.219.59 | 993 | United Arab Emirates | 0
84.238.253.171 | 443 | Bulgaria | 0
84.38.133.191 | 443 | Netherlands | 0
85.114.110.108 | 443 | Palestine | 0
85.139.203.42 | 32101 | Portugal | 0
85.98.206.165 | 995 | Turkey | 0
85.98.46.114 | 443 | Turkey | 0
87.220.229.164 | 2222 | Spain | 0
87.243.113.104 | 995 | Bulgaria | 0
87.75.195.211 | 443 | United Kingdom | 0
88.231.221.198 | 443 | Turkey | 0
88.231.221.198 | 995 | Turkey | 0
88.232.207.24 | 443 | Turkey | 0
88.242.228.16 | 53 | Turkey | 0
88.245.168.200 | 2222 | Turkey | 0
88.246.170.2 | 443 | Turkey | 0
88.251.38.53 | 443 | Turkey | 0
89.211.217.38 | 995 | Qatar | 0
89.211.223.138 | 2222 | Qatar | 0
91.116.160.252 | 443 | Spain | 0
94.99.110.157 | 995 | Saudi Arabia | 0
95.136.41.50 | 443 | Portugal | 0
98.180.234.228 | 443 | United States of America | 0
99.232.140.205 | 2222 | Canada | 0
99.253.251.74 | 443 | Canada | 0
100.1.5.250 | 995 | United States of America | 0
102.101.231.141 | 443 | Morocco | 0
102.184.151.194 | 995 | Egypt | 0
102.38.97.229 | 995 | South Africa | 0
102.40.236.32 | 995 | Egypt | 0
105.105.104.0 | 443 | Algeria | 0
105.111.60.60 | 995 | Algeria | 0
105.99.80.23 | 443 | Algeria | 0
109.155.5.164 | 993 | United Kingdom | 0
109.200.165.82 | 443 | Yemen | 0
110.4.255.247 | 443 | Japan | 0
113.22.102.155 | 443 | Viet Nam | 0
118.174.200.169 | 995 | Thailand | 0
118.216.99.232 | 443 | Korea (Republic of) | 0
118.68.220.199 | 443 | Viet Nam | 0
119.42.124.18 | 443 | Thailand | 0
119.82.111.158 | 443 | India | 0
123.240.131.1 | 443 | Taiwan | 1
134.35.9.144 | 443 | Yemen | 0
138.0.114.166 | 443 | Brazil | 0
139.195.132.210 | 2222 | Indonesia | 0
139.195.63.45 | 2222 | Indonesia | 0
141.164.254.35 | 443 | Saudi Arabia | 0
151.234.63.48 | 990 | Iran (Islamic Republic of) | 0
154.181.203.230 | 995 | Egypt | 0
154.238.151.197 | 995 | Egypt | 0
154.246.182.210 | 443 | Algeria | 0
156.213.107.29 | 995 | Egypt | 0
156.219.49.22 | 995 | Egypt | 0
160.152.135.188 | 2222 | Nigeria | 0
160.176.204.241 | 443 | Morocco | 0
167.60.82.242 | 995 | Uruguay | 0
169.1.47.111 | 443 | South Africa | 0
171.238.230.59 | 443 | Viet Nam | 0
171.248.157.128 | 995 | Viet Nam | 0
173.218.180.91 | 443 | United States of America | 0
176.42.245.2 | 995 | Turkey | 0
177.255.14.99 | 995 | Colombia | 0
179.108.32.195 | 443 | Brazil | 0
179.223.89.154 | 995 | Brazil | 0
179.24.245.193 | 995 | Uruguay | 0
180.180.131.95 | 443 | Thailand | 0
181.111.20.201 | 443 | Argentina | 0
181.118.183.123 | 443 | Argentina | 0
181.127.138.30 | 443 | Paraguay | 0
181.231.229.133 | 443 | Argentina | 0
181.56.125.32 | 443 | Colombia | 0
181.80.133.202 | 443 | Argentina | 0
181.81.116.144 | 443 | Argentina | 0
182.213.208.5 | 443 | Korea (Republic of) | 0
184.82.110.50 | 995 | Thailand | 0
184.99.123.118 | 443 | United States of America | 0
186.105.182.127 | 443 | Chile | 0
186.120.58.88 | 443 | Dominican Republic | 0
186.154.92.181 | 443 | Colombia | 0
186.167.249.206 | 443 | Venezuela (Bolivarian Republic of) | 0
186.50.245.74 | 995 | Uruguay | 0
187.205.222.100 | 443 | Mexico | 0
188.157.6.170 | 443 | Hungary | 0
189.19.189.222 | 32101 | Brazil | 0
190.158.58.236 | 443 | Colombia | 0
190.44.40.48 | 995 | Chile | 0
190.59.247.136 | 995 | Trinidad and Tobago | 0
191.254.74.89 | 32101 | Brazil | 0
191.84.204.214 | 995 | Argentina | 0
191.97.234.238 | 995 | Argentina | 0
193.3.19.37 | 443 | Russian Federation | 0
194.166.205.204 | 995 | Austria | 0
194.49.79.231 | 443 | United States of America | 0
196.112.34.71 | 443 | Morocco | 0
196.92.172.24 | 8443 | Morocco | 0
197.11.128.156 | 443 | Tunisia | 0
197.204.243.167 | 443 | Algeria | 0
197.49.50.44 | 443 | Egypt | 0
197.94.84.128 | 443 | South Africa | 0
201.177.163.176 | 443 | Argentina | 0
210.195.18.76 | 2222 | Malaysia | 0
211.248.176.4 | 443 | Korea (Republic of) | 0
212.156.51.194 | 443 | Turkey | 0
219.69.103.199 | 443 | Taiwan | 0
220.116.250.45 | 443 | Korea (Republic of) | 0
ADDITIONAL IP ADDRESSES OBSERVED
IP | Domain | Country | AbuseIPDB Score
23.106.123.13 | NA | Singapore | 0
23.106.160.141 | danimos[.]com | United States of America | 0
23.19.58.43 | zedorocop[.]com | United Kingdom | 0
23.29.115.172 | NA | United States of America | 0
45.132.226.209 | NA | Switzerland | 3
45.134.22.54 | NA | Italy | 0
45.153.241.64 | NA | Germany | 0
45.61.138.29 | NA | United Kingdom | 0
45.86.200.21 | NA | Netherlands | 0
45.86.200.77 | NA | Netherlands | 0
45.89.242.2 | NA | United Kingdom | 1
47.87.229.39 | temp[.]sh | United States of America | 0
64.52.80.212 | NA | United States of America | 0
78.141.213.249 | NA | Netherlands | 0
104.194.10.130 | NA | United States of America | 0
104.243.38.65 | NA | United States of America | 0
138.199.59.52 | NA | Poland | 0
146.70.106.61 | NA | Netherlands | 0
146.70.86.44 | gerhiles[.]com | Netherlands | 0
151.236.28.34 | NA | Netherlands | 0
172.93.100.71 | NA | United States of America | 0
176.10.80.37 | NA | United Kingdom | 0
176.90.193.145 | NA | Turkey | 0
185.163.110.124 | NA | Romania | 0
185.77.218.10 | NA | Finland | 0
194.37.97.161 | NA | United States of America | 0
194.5.53.215 | NA | France | 0
194.5.53.86 | NA | France | 0
207.229.167.36 | NA | United States of America | 100
212.30.37.227 | NA | Netherlands | 0
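How a responder would put the tables above to use, as an added example that is not Quadrant's tooling: parse the "IP | Port Observed" table format, match firewall records against it, and count how many distinct listed addresses each internal host contacted. The table excerpt, the key=value firewall log format and every address in the log lines are constructed for the example; they are not records from the incident.

```python
"""Hunt firewall logs for the Qakbot C2 endpoints listed in the IOC table.

Added example, not Quadrant's tooling. IOC_TABLE is a constructed excerpt of
the hard-coded IP table above; LOG_LINES are constructed records in a generic
key=value syslog style, not any real firewall's format.
"""
import re
from collections import defaultdict

IOC_TABLE = """\
IP | Port Observed | Country | AbuseIPDB Score
1.10.253.207 | 443 | Thailand | 0
70.49.33.200 | 2222 | Canada | 0
88.231.221.198 | 443 | Turkey | 0
88.231.221.198 | 995 | Turkey | 0
189.19.189.222 | 32101 | Brazil | 0
"""


def parse_ioc_table(text):
    """Map each IP in the table to the set of ports it was listed on.
    The same IP can occur on several rows (88.231.221.198 in the table)."""
    iocs = defaultdict(set)
    for line in text.splitlines()[1:]:             # first line is the header
        cells = [c.strip() for c in line.split("|")]
        if len(cells) >= 2 and cells[0] and cells[1].isdigit():
            iocs[cells[0]].add(int(cells[1]))
    return dict(iocs)


KV = re.compile(r"(\w+)=(\S+)")


def hunt(log_lines, iocs):
    """Return (src, dst, dport, port_listed) for every connection, allowed or
    denied, to a listed IP. A listed IP on an unlisted port is still reported:
    the table itself shows one IP serving on more than one port, so the
    address is the stronger indicator and the port is only context."""
    hits = []
    for line in log_lines:
        fields = dict(KV.findall(line))
        dst, dport = fields.get("dst"), fields.get("dport")
        if dst in iocs and dport and dport.isdigit():
            hits.append((fields.get("src"), dst, int(dport), int(dport) in iocs[dst]))
    return hits


def hosts_by_c2_count(hits):
    """Distinct listed IPs contacted per internal host. A host that reaches
    several of them is beaconing; a single hit deserves a closer look first."""
    per_host = defaultdict(set)
    for src, dst, _, _ in hits:
        per_host[src].add(dst)
    return {src: len(dsts) for src, dsts in per_host.items()}


# Constructed sample records; 203.0.113.9 is a documentation address.
LOG_LINES = [
    "fw: action=allow src=10.20.30.41 dst=70.49.33.200 dport=2222 proto=tcp",
    "fw: action=allow src=10.20.30.41 dst=203.0.113.9 dport=443 proto=tcp",
    "fw: action=deny src=10.20.30.41 dst=1.10.253.207 dport=443 proto=tcp",
    "fw: action=allow src=10.20.30.57 dst=88.231.221.198 dport=2222 proto=tcp",
]

if __name__ == "__main__":
    found = hunt(LOG_LINES, parse_ioc_table(IOC_TABLE))
    for hit in found:
        print(hit)
    print(hosts_by_c2_count(found))
```

Denied connections are kept on purpose: a block at the perimeter still proves the host behind it is infected, which is the fact a responder needs for scoping.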
INDEX B: MALWARE ANALYSIS LAB AND TOOL OVERVIEW
The lab environment consisted of three virtual machines running inside VMware Workstation 16 Pro. The virtual network was configured with no route to the internet.
HOST 1: ANALYSIS HOST
The analysis host ran the Linux distribution REMnux. On startup, an iptables setup script was run that contained all of the hard-coded C2 IP addresses from the Qakbot samples. This allowed the malware to attempt connections to its hard-coded IPs and receive answers from the simulated services on this host, without any traffic ever reaching a real C2 host.

Additional software used during the analysis includes:
Wireshark: Network packet capture and analysis.
INetSim: An "internet simulation" tool that provides fake HTTP, HTTPS, DNS and other services for malware samples to interact with.
FakeDNS: A fake DNS server that answers every query with a predetermined IP address; by default, the address of the host FakeDNS runs on.
Readpe.py: Used to parse Portable Executable (PE) files.
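The iptables step described for Host 1 amounts to one DNAT rule per hard-coded C2 endpoint, pointing at the INetSim listener on the gateway. The following is an added example of building and applying those rules; it is not the startup script Quadrant used. The lab addresses (10.0.0.1 for the REMnux gateway, 10.0.0.2 for the Windows host), the assumption that INetSim's https (443) and pop3s (995) listeners are enabled, and the short endpoint list (an excerpt of the hard-coded IP table above) are all assumptions made for the example.

```python
"""Build the iptables rules that pull Qakbot's hard-coded C2 traffic from the
detonation host into INetSim on the REMnux gateway.

Added example, not the startup script used in the analysis. Assumed lab
addressing:
  REMnux gateway / INetSim listener  10.0.0.1   (Host 1)
  Windows 10 detonation host         10.0.0.2   (Host 2)
C2_ENDPOINTS is a constructed excerpt of the hard-coded IP table above.
"""
import ipaddress
import subprocess

LAB_GATEWAY = "10.0.0.1"   # assumption: REMnux host, where INetSim listens
VICTIM_HOST = "10.0.0.2"   # assumption: Windows 10 detonation host

# (ip, port) pairs from the Qakbot IP table. The repeated row is deliberate:
# duplicate IOC rows must not produce duplicate rules.
C2_ENDPOINTS = [
    ("1.10.253.207", 443),
    ("2.89.78.130", 993),
    ("27.73.215.46", 32102),
    ("70.49.33.200", 2222),
    ("70.49.33.200", 2222),
    ("88.231.221.198", 995),
]

# Assumption: INetSim's https (443) and pop3s (995) listeners are enabled.
# Qakbot speaks TLS on every port in the table, so any other port is mapped
# onto the https listener so that the bot at least completes a handshake.
INETSIM_TLS_PORTS = {443, 995}
FALLBACK_PORT = 443


def redirect_rules(endpoints, gateway=LAB_GATEWAY, victim=VICTIM_HOST):
    """Return iptables commands as argv lists: one PREROUTING DNAT rule per
    unique C2 endpoint, then a FORWARD policy of DROP so that traffic to any
    address not on the list cannot leave the gateway."""
    rules, seen = [], set()
    for ip, port in endpoints:
        ipaddress.ip_address(ip)        # raises ValueError on a malformed IOC
        if (ip, port) in seen:
            continue
        seen.add((ip, port))
        target = port if port in INETSIM_TLS_PORTS else FALLBACK_PORT
        rules.append([
            "iptables", "-t", "nat", "-A", "PREROUTING",
            "-s", victim, "-d", ip, "-p", "tcp", "--dport", str(port),
            "-j", "DNAT", "--to-destination", f"{gateway}:{target}",
        ])
    rules.append(["iptables", "-P", "FORWARD", "DROP"])
    return rules


def as_shell(rules):
    """Render the rules as lines for a startup script."""
    return "\n".join(" ".join(r) for r in rules)


def apply_rules(rules, run=subprocess.run):
    """Apply the rules on the gateway (requires root). `run` is injectable so
    the function can be exercised without touching the kernel."""
    for r in rules:
        run(r, check=True)


if __name__ == "__main__":
    print(as_shell(redirect_rules(C2_ENDPOINTS)))
```

Because the DNAT happens in PREROUTING, before the routing decision, the Windows host still believes it is talking to the real C2 address; capture on the Windows side (or on the gateway interface facing it) when the goal is to record which hard-coded IP the bot tried first and in what order.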
HOST 2: EXPERIMENTAL HOST
The experimental host ran Windows 10 build 19041. This host was used for detonation of the malware samples provided by the client.
NXLog is installed on this host and forwards the Windows event logs to Host 3.
Host 1 is configured as the network gateway. Aside from the log-forwarding connection to Host 3, all connections from this host are forced through Host 1.
Additional software used during the analysis includes:
x32dbg: Interactive debugger.
Regshot: Captures a "snapshot" of the registry before and after detonation of a sample so that the changes made on the host can be observed.
Wireshark: Network packet capture and analysis.
Qakbot Registry Decryption Tool: Used to decrypt the Qakbot configuration entries stored in the registry (see Index D).
HOST 3: LOGGING HOST
The logging host runs Debian 11. This host only receives the Windows event logs forwarded from Host 2.

INDEX C: LIST OF SAGAN RULES DEVELOPED FROM THIS INCIDENT
The rules below were developed following this incident. The full Sagan rule set can be found at github.com/quadrantsec/sagan-rules.
Rule Name | SID
[CISCO-SECUREENDPOINT] Exploit attempt was detected | 5008352
[CISCO-SECUREENDPOINT] Exploit attempt was prevented | 5008355
[CISCO-SECUREENDPOINT] Event Engine Detection | 5008356
[WINDOWS-CLIPBOARD] Get-ADGroupMember Command | 5008362
[WINDOWS-CLIPBOARD] Get-ADUser Command | 5008363
[WINDOWS-CLIPBOARD] Service being stopped | 5008364
[WINDOWS-CLIPBOARD] Powershell Policy Bypass Command | 5008365
[WINDOWS-CLIPBOARD] Disable Windows Defender Command | 5008366
[WINDOWS-CLIPBOARD] Disable Realtime Monitoring Command | 5008367
[WINDOWS-CLIPBOARD] Uninstall Windows Defender Command | 5008368
[WINDOWS-CLIPBOARD] Remoe-exec psexec command | 5008369
[WINDOWS-CLIPBOARD] Powershell encodedcommand | 5008370
[WINDOWS-CLIPBOARD] rundll32 command | 5008371
[WINDOWS-CLIPBOARD] rundll32 command with DllRegisterServer | 5008372
[WINDOWS-CLIPBOARD] net commands | 5008373
[WINDOWS-CLIPBOARD] net commands | 5008374
[WINDOWS-CLIPBOARD] query user command | 5008375
[WINDOWS-CLIPBOARD] rwinsta command | 5008376
[WINDOWS-CLIPBOARD] nltest command | 5008377
[WINDOWS-CLIPBOARD] netstat output v1 | 5008378
[WINDOWS-CLIPBOARD] netstat output v2 | 5008379
[WINDOWS-CLIPBOARD] copy from share drive to local C: command | 5008380
[WINDOWS-CLIPBOARD] bitsadmin file transfer command | 5008381
[WINDOWS-CLIPBOARD] proxychains command | 5008382
[WINDOWS-SECURITY] Service being stopped by net command v1 | 5008343
[WINDOWS-SECURITY] Service being stopped by net command v2 | 5008344
[WINDOWS-SECURITY] Disable Windows Security | 5008347
[WINDOWS-SECURITY] Copied rundll32 command executing non-standard dll | 5008348
[WINDOWS-SECURITY] Possible UAC Bypass - Rundll32.exe using DLLRegister | 5008351
[WINDOWS-SECURITY] Exfil software rclone detected | 5008354
[WINDOWS-SECURITY] A service was installed in the system (powershell) | 5008357
[WINDOWS-SECURITY] A service was installed in the system (DllRegisterServer) | 5008358
[WINDOWS-SECURITY] A service was installed in the system (rundll32 .xls) | 5008359
[WINDOWS-SECURITY] A service was installed in the system (rundll32 public directory) | 5008360
[WINDOWS-SECURITY] Blackbasta ransomware file extension detected (.basta) | 5008361
[WINDOWS-SYSMON] CMD executed from spool directory | 5008345
[WINDOWS-SYSMON] Rundll32 network connection detected | 5008346
[WINDOWS-SYSMON] Possible Traversal - File created in Public directory | 5008349
[WINDOWS-SYSMON] Possible hidden service installed | 5008350
[WINDOWS-SYSMON] Process Injection - Rundll32 remote thread into winlogon | 5008353
[WINDOWS-SYSMON] Safeboot Registry Entry - Possible Blackbasta | 5008399
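To show what the rule names in this table correspond to at the event level, here is an added example (not the Sagan rule text from github.com/quadrantsec/sagan-rules) that implements the detection logic for six of the listed SIDs in Python and runs it over constructed Sysmon and System events. The matching conditions are this editor's reading of each rule name, the events are dicts keyed by the usual Sysmon/Windows field names, and every path, service name, DLL name and address in the sample events is made up for the example.

```python
"""Detection logic in the spirit of six of the Sagan rules listed above, run
over constructed Sysmon / System events.

Added example: the conditions are a reading of each rule name, not the rule
text from github.com/quadrantsec/sagan-rules. SAMPLE_EVENTS, including the
file, DLL and service names, are constructed, not events from the incident.
"""
import ntpath
import re


def image_is(path, exe):
    """Compare the file name of a Windows image path, case-insensitively."""
    return ntpath.basename(path or "").lower() == exe


PUBLIC_DIR = re.compile(r"\\users\\public\\", re.I)
SPOOL_DIR = re.compile(r"\\spool\\", re.I)
SAFEBOOT = re.compile(r"\\(currentcontrolset|controlset\d+)\\control\\safeboot\\", re.I)

# (SID from the table, rule name from the table, predicate over one event)
RULES = [
    (5008353, "[WINDOWS-SYSMON] Process Injection - Rundll32 remote thread into winlogon",
     lambda e: e.get("EventID") == 8                      # Sysmon CreateRemoteThread
     and image_is(e.get("SourceImage"), "rundll32.exe")
     and image_is(e.get("TargetImage"), "winlogon.exe")),
    (5008346, "[WINDOWS-SYSMON] Rundll32 network connection detected",
     lambda e: e.get("EventID") == 3                      # Sysmon NetworkConnect
     and image_is(e.get("Image"), "rundll32.exe")),
    (5008345, "[WINDOWS-SYSMON] CMD executed from spool directory",
     lambda e: e.get("EventID") == 1                      # Sysmon ProcessCreate
     and image_is(e.get("Image"), "cmd.exe")
     and bool(SPOOL_DIR.search(e.get("CurrentDirectory", "") + " " + e.get("CommandLine", "")))),
    (5008360, "[WINDOWS-SECURITY] A service was installed in the system (rundll32 public directory)",
     lambda e: e.get("EventID") == 7045                   # System: service installed
     and "rundll32" in e.get("ImagePath", "").lower()
     and bool(PUBLIC_DIR.search(e.get("ImagePath", "")))),
    (5008361, "[WINDOWS-SECURITY] Blackbasta ransomware file extension detected (.basta)",
     lambda e: e.get("EventID") == 11                     # Sysmon FileCreate (assumption)
     and e.get("TargetFilename", "").lower().endswith(".basta")),
    (5008399, "[WINDOWS-SYSMON] Safeboot Registry Entry - Possible Blackbasta",
     lambda e: e.get("EventID") == 13                     # Sysmon RegistryEvent (value set)
     and bool(SAFEBOOT.search(e.get("TargetObject", "")))),
]


def evaluate(events):
    """Return [(sid, rule name, event index)] for every rule that fires."""
    return [(sid, name, i)
            for i, ev in enumerate(events)
            for sid, name, match in RULES if match(ev)]


SAMPLE_EVENTS = [
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\rundll32.exe",
     "TargetImage": r"C:\Windows\System32\winlogon.exe"},
    {"EventID": 3, "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "DestinationIp": "70.49.33.200", "DestinationPort": 2222},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c run.bat",
     "CurrentDirectory": r"C:\Windows\System32\spool\drivers\color"},
    {"EventID": 7045, "ServiceName": "svc_update",
     "ImagePath": r"rundll32.exe C:\Users\Public\payload.dll,DllRegisterServer"},
    {"EventID": 11, "Image": r"C:\Users\Public\enc.exe",
     "TargetFilename": r"\\fileserver\finance\Q3.xlsx.basta"},
    {"EventID": 13,
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\SafeBoot\Network\svc_update\(Default)"},
    # benign control events: neither should fire
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami", "CurrentDirectory": r"C:\Users\alice"},
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "203.0.113.9", "DestinationPort": 443},
]

if __name__ == "__main__":
    for sid, name, i in evaluate(SAMPLE_EVENTS):
        print(f"event {i}: sid {sid} {name}")
```

The predicates compare image file names rather than full paths so that a copied rundll32.exe (rule 5008348 in the table covers that case on the Security side) is still caught when it is the source of a remote thread or a network connection.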
INDEX D: REFERENCES
- Deep Instinct's review of similar Black Basta activity:
https://www.deepinstinct.com/blog/black-basta-ransomware-threat-emergence
- Northwave's review of similar Black Basta activity, including the use of Qbot and the ransomware:
https://northwave-security.com/en/black-basta-blog/
- VirusTotal results for the hash of Zfgufgfvezdnbcvjkzctpvfdj.dll, indicating Brute Ratel:
https://www.virustotal.com/gui/file/62cb24967c6ce18d35d2a23ebed4217889d796cf7799d9075c1aa7752b8d3967
- Brute Ratel's psexec command, showing the use of SMB for remote control:
https://bruteratel.com/tabs/badger/commands/psexec/
- Brute Ratel and RPC services:
https://bruteratel.com/tabs/badger/commands/services/
- CISA alert on the use of Rclone by the "Daixin Team" threat actors:
https://www.cisa.gov/uscert/ncas/alerts/aa22-294a
- Qakbot Registry Decryption Tool:
https://github.com/drole/qakbot-registry-decrypt
- CyberChef recipe to extract and decode shellcode from a Cobalt Strike Beacon:
https://gist.github.com/0xtornado/69d12572520122cb9bddc2d6793d97ab
- Decoding of files similar to "w.bat":
https://superuser.com/questions/1676713/how-to-decode-contents-of-a-batch-file-with-chinese-characters
- Quadrant's GitHub repository for the Sagan log analysis engine rules:
https://github.com/quadrantsec/sagan-rules
For more information regarding this analysis, interested parties should contact [email protected]
